The Biggest Violators of App Policy

By Lori Castle, Editor in Chief — April 28, 2014

Apps are everywhere in the enterprise, but they are not usually enterprise apps. IT is creating policies, but some of the most core business functions are the biggest violators, and the cloud is turning exception into acceptance.

Using aggregated, anonymized data from the Netskope Active Platform, the Netskope Cloud Report reveals alarming habits when it comes to app usage in the enterprise. The research looks at billions of cloud app events seen across hundreds of thousands of users from January to March 2014.

Hundreds of Apps in Use
The report found that enterprises ran an average of 461 cloud apps, and 85% were not enterprise-ready, scoring a “medium” or below in the Netskope Cloud Confidence Index. Plus, since the same cloud report in January, there was a 14% increase in the average number of apps used by enterprises. IT continues to estimate that 40-50 apps are in use, underestimating by a factor of 9 to 10.

Wait, “used by the enterprise”? Enterprises are not really adopting the public apps, right? It's the employees, isn't it?

“It’s both,” confirmed Jamie Barnett, Netskope's VP of Market Data in an interview with Mobile Enterprise. “In some cases, it’s users. In some, it’s small workgroups. In some, it’s lines of business. AND it’s the business overall. This is played out in the sheer number of apps per category. There are 47 marketing cloud apps per enterprise; 37 HR apps; and 27 finance/accounting apps. And, not in the report, CRM and salesforce automation is 22; software development is 21. These are business groups using ‘business apps’ for business purposes. This is in addition to employees using social and storage for business and personal, and sometimes a mix of the two.”

What Happened in Cloud Apps?
Top activities in cloud apps included “create,” “edit,” “download,” “share” and “delete.” Activities such as downloading and sharing of data that may contain customer information, intellectual property or other proprietary information should be red flags for IT admins, as such activities can signal data leakage.

Where Did Policy Violations Occur?
While IT has started to build policies around cloud app usage in an effort to enable (rather than block as discussed below) cloud app usage in the enterprise, and to have more control over how information is shared and protected, there is plenty of abuse.

The categories in which policy violations occurred most were storage, social, software development, finance/accounting and customer relationship management/sales force automation, with the vast majority being in storage.

The activities that most often constituted policy violations were “upload,” “edit” and “post.” The most frequent violation was uploading to cloud storage apps specifically. While many enterprises adopted granular policies aimed at protecting data, one violation that did not rank highly was “login.”

This data point indicates that as enterprises establish more granular usage policies that provide control over business-sensitive data, they can allow more users to log in with confidence and move away from the sledgehammer “block” approach.

Who Was Using Cloud Apps?
The top five app categories were marketing, HR, collaboration, storage and finance/accounting. Apps within these categories can contain sensitive information such as business intelligence or personally identifiable employee data.

As mentioned, marketing, HR and finance/accounting apps were in use by organizations. These categories were also among the least enterprise-ready: 97% of marketing apps and 94% of both HR and finance/accounting apps rated “medium” or below in the “Netskope Cloud Confidence Index.” Overall, 60% of cloud app usage occurred in non-enterprise-ready apps.

According to Barnett, “In our analysis we look at usage and app counts (number of apps per enterprise) per category (categorization of the apps). This stat indicates the average number of apps per category, and then we pick the top 5. IT and security professionals are always surprised at the number of cloud HR and finance/accounting apps because some of those may be beholden to regulatory compliance, or house data that’s important to the business or protected personally-identifiable information. They are also taken aback by the sheer number of cloud storage apps. They expect to see the big names like Box, Dropbox, and Google Drive, but they are surprised by the long tail and especially by the activity in that long tail.”

Blocking & Tackling
Enterprises often start by simply blocking the apps from the cloud in the first place, but the report shows that 90% of usage was in apps that had been blocked by network perimeter appliances and had been granted exceptions.

This trend of the exception being the rule suggests that wholesale blocking done by firewalls and secure web gateways isn’t practical and only creates a false sense of security. The reason for so many exceptions? “Business practice and process have outgrown the way we enforce our policies when it comes to cloud and SaaS apps,” said Barnett.

Here’s how it works: A well-meaning IT or security professional sets a policy against, say, using Twitter and Dropbox. Then, some poor marketing person whose whole job is to Tweet about new product releases, goes to IT and begs for an exception. IT sees that the person’s use case is real and grants the exception. Soon, the whole marketing team gets this exception because they, too, want to promote their products.

“Then, the CEO, who has just gotten religion about being ‘out there’ on social media, also asks for an exception…for the entire executive team, which is granted, of course,” she continues. “Then Customer Support needs access because they’re monitoring social media to gauge sentiment and heading off complaints that can blow up on social media before they ever reach the support desk. And Business Development asks for exceptions to the Dropbox policy because they need to collaborate on documents and plans with partners and suppliers, and that process needs to be drop-dead easy because, if it isn’t, partners will go elsewhere. Again, granted. And so it goes…until you have the vast majority of usage in the exceptions, and the exceptions truly become the rule.”

Virtually every business unit and functional department in organizations today has business processes that rely on cloud apps, and their lives are made so much better by those apps that they can no longer be denied. There are well-intentioned people on all sides, but business practices have simply matured beyond the enforcement mechanisms, she pointed out.

What to Do
Barnett recommends three steps to fill the gaps.

1. Discover what cloud apps are in use and assess their enterprise readiness (defined by security, auditability and business continuity).

2. Understand usage within those apps within the context of your business policies and goals (for example, if you are a biotech company and running clinical trials using cloud big data tools, and need to understand whether ePHI is being uploaded to the cloud: you should find when, where and to what apps, and whether content is being shared outside of the company from those apps). This level of visibility will help you triage and figure out what to do next.

3. Enforce granular policies that focus on the specific risks you face while continuing to enable the business process (so people won’t go around you). An example of this, taking point 2 a step further, is to continue to allow use of those big data apps for clinical trials (which can give the business a tremendous competitive advantage), but set a policy preventing the specific upload of ePHI.
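The three steps above, worked through as a small policy evaluator. This is an added example written for this page, not Netskope's code or the Active Platform's API; the event format, the "readiness" labels standing in for a Cloud Confidence Index rating, the content tags (such as "ePHI") assumed to come from an upstream classifier, and the sample events are all constructed assumptions. It inventories apps per category (step 1), then evaluates the same events against a wholesale "block the category" policy and against the granular "allow the app, block the ePHI upload" policy from step 3, so the difference in what each one stops is visible.

```python
"""Discover -> understand -> enforce, as an illustrative policy evaluator.
Example code for this article; not Netskope's product or API.
Event fields, readiness labels and content tags are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of cloud app activity events (not real data).
# 'readiness' plays the role of an enterprise-readiness rating; 'tags' are
# content labels assumed to be attached by an inline content classifier.
EVENTS = [
    {"user": "alice", "app": "BigDataCo", "category": "big data", "activity": "upload", "readiness": "high", "tags": ["ePHI"]},
    {"user": "alice", "app": "BigDataCo", "category": "big data", "activity": "upload", "readiness": "high", "tags": []},
    {"user": "bob", "app": "BigDataCo", "category": "big data", "activity": "create", "readiness": "high", "tags": []},
    {"user": "carol", "app": "ObscureStore", "category": "storage", "activity": "upload", "readiness": "low", "tags": ["customer_pii"]},
    {"user": "carol", "app": "ObscureStore", "category": "storage", "activity": "login", "readiness": "low", "tags": []},
    {"user": "dave", "app": "TweetTool", "category": "social", "activity": "post", "readiness": "medium", "tags": []},
    {"user": "erin", "app": "PayrollCloud", "category": "hr", "activity": "download", "readiness": "medium", "tags": ["employee_pii"]},
]

# The article counts "medium" or below as not enterprise-ready.
NOT_READY = {"low", "medium"}


def discover(events):
    """Step 1: distinct apps per category and how many of them are not enterprise-ready."""
    apps_by_cat = defaultdict(dict)  # category -> {app: readiness}
    for e in events:
        apps_by_cat[e["category"]][e["app"]] = e["readiness"]
    return {
        cat: {"apps": len(apps), "not_ready": sum(1 for r in apps.values() if r in NOT_READY)}
        for cat, apps in apps_by_cat.items()
    }


@dataclass
class Rule:
    """One granular rule: every constraint that is set must match the event."""
    name: str
    action: str                                # "block" or "allow"
    category: Optional[str] = None
    activity: Optional[str] = None
    readiness: set = field(default_factory=set)  # applies only if event readiness is in this set
    tag: Optional[str] = None                  # required content tag

    def matches(self, e):
        return (
            (self.category is None or e["category"] == self.category)
            and (self.activity is None or e["activity"] == self.activity)
            and (not self.readiness or e["readiness"] in self.readiness)
            and (self.tag is None or self.tag in e["tags"])
        )


def evaluate(events, rules, default="allow"):
    """Steps 2-3: first matching rule wins; events matching no rule get the default."""
    decisions = []
    for e in events:
        rule = next((r for r in rules if r.matches(e)), None)
        decisions.append((e, rule.action if rule else default, rule.name if rule else "default"))
    return decisions


def blocked_count(decisions):
    return sum(1 for _, action, _ in decisions if action == "block")


# The sledgehammer: block every big data app outright, clinical-trial work included.
WHOLESALE = [Rule("block-all-big-data", "block", category="big data")]

# The granular alternative from step 3: keep the big data tooling, stop only the ePHI upload,
# and stop uploads of customer PII into storage apps rated below enterprise-ready.
GRANULAR = [
    Rule("no-ephi-upload", "block", category="big data", activity="upload", tag="ePHI"),
    Rule("no-pii-to-unready-storage", "block", category="storage", activity="upload",
         readiness=NOT_READY, tag="customer_pii"),
]

if __name__ == "__main__":
    for cat, stats in discover(EVENTS).items():
        print(f"{cat:10s} apps={stats['apps']} not_ready={stats['not_ready']}")
    for label, rules in (("wholesale", WHOLESALE), ("granular", GRANULAR)):
        for e, action, why in evaluate(EVENTS, rules):
            print(f"[{label}] {e['user']:6s} {e['activity']:8s} {e['app']:12s} -> {action} ({why})")
```

The wholesale policy blocks all three big data events, including the two that carry no ePHI, which is exactly the kind of outcome that drives the exception requests described earlier; the granular policy blocks only the two uploads that actually carry sensitive content and lets the rest of the work proceed, and the "login" event is allowed, matching the article's observation that login itself rarely needs to be the control point.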

“The writing is on the wall—enterprises are continuing to adopt cloud apps and are more invested than ever in protecting their data. We saw that enterprises who block apps with network perimeter technologies, like next-gen firewalls and secure web gateways, aren't achieving their objectives because of all the exceptions,” said Sanjay Beri, CEO and founder, Netskope. “We call this phenomenon ‘exception sprawl.’ If enterprises can learn one lesson from this report, it’s that the dam has broken on cloud app usage. To address this, IT needs to leverage solutions that provide context around app usage and enact security controls at the user, device and activity level.”
